W dniu 14.08.2019 o 12:09, Reinis Rozitis pisze:
> It's questionable that a misconfigured environment is a "security" risk 
> caused by language rather than ignorance of the administrator. 

This is not about misconfigured environment. This is about accidental usage of 
*language* feature, which *by design* can lead to code leaks (so
application bug, not misconfigured environment). Clearly not a language problem 
that it has dedicated feature to shoot yourself in the foot...

> On that matter you could ask why are all the exec/passthru/proc_open etc 
> functions/features are allowed by default while every other guide on
hardening web suggests those to be disabled (added to disable_functions)?

These methods have their purpose (pretty important BTW), short open tags is 
just "don't use it!!!" feature.

Robert Korulczyk

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to